feat: support var (#15)

* feat:suport env var

* feat:suport env var

* (fix): typo

* (fix): typo in examples

* feat:support env in lambda

* chore: scan via central workflow for public module

* (update): remove zip file

Co-authored-by: sedthawut tipkanpirome <40098197+xshot9011@users.noreply.github.com>

Author: lycbrian

.github/workflows/code-scan.yml

@@ -2,6 +2,17 @@
 
 All notable changes to this module will be documented in this file.
 
+## [v1.1.4] - 2022-12-15
+
+### Added
+- var `environment_variables`
+- add dynamic `environment` in resource `aws_lambda_function.this`
+- add access_key_rotate example
+
+### Changed
+
+- fix typo, change from `pricipal` to `principal` in resource `aws_lambda_permission.allow_serivce`
+
 ## [v1.1.3] - 2022-11-23
 
 ### Added

CHANGELOG.md

@@ -0,0 +1,35 @@
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name                                                                      | Version  |
+|---------------------------------------------------------------------------|----------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws)                   | >= 4.0.0 |
+
+## Providers
+
+No providers.
+
+## Modules
+
+| Name                                                   | Source | Version |
+|--------------------------------------------------------|--------|---------|
+| <a name="module_lambda"></a> [lambda](#module\_lambda) | ../../ | n/a     |
+
+## Resources
+
+No resources.
+
+## Inputs
+
+| Name                                                                  | Description                                                                                                  | Type       | Default | Required |
+|-----------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------|------------|---------|:--------:|
+| <a name="input_custom_tags"></a> [custom\_tags](#input\_custom\_tags) | Custom tags which can be passed on to the AWS resources. They should be key value pairs having distinct keys | `map(any)` | `{}`    |    no    |
+| <a name="input_environment"></a> [environment](#input\_environment)   | Environment Variable used as a prefix                                                                        | `string`   | n/a     |   yes    |
+| <a name="input_name"></a> [name](#input\_name)                        | Name of the ECS cluster and s3 also redis to create                                                          | `string`   | n/a     |   yes    |
+| <a name="input_prefix"></a> [prefix](#input\_prefix)                  | The prefix name of customer to be displayed in AWS console and resource                                      | `string`   | n/a     |   yes    |
+
+## Outputs
+
+No outputs.
+<!-- END_TF_DOCS -->

README.md

@@ -0,0 +1,215 @@
+locals {
+  name              = format("%s-%s-%s", "oozou", "test", "app")
+}
+
+data "aws_caller_identity" "this" {}
+data "aws_region" "this" {}
+
+/* -------------------------------------------------------------------------- */
+/*                              SNS Notification                              */
+/* -------------------------------------------------------------------------- */
+data "aws_iam_policy_document" "lambda_access_kms_policy" {
+  statement {
+    sid    = "AllowLambdaToPublishMessageToEncryptedSNS"
+    effect = "Allow"
+    actions = [
+      "kms:Decrypt",
+      "kms:GenerateDataKey*",
+    ]
+    resources = ["*"]
+    principals {
+      identifiers = ["cloudwatch.amazonaws.com", "events.amazonaws.com"]
+      type        = "Service"
+    }
+  }
+}
+
+# TODO fix KMS naming in SNS module
+module "sns" {
+  source  = "oozou/sns/aws"
+  version = "1.0.1"
+
+  prefix       = "oozou"
+  environment  = "test"
+  name         = format("%s-accesskey-rotate", "app") 
+  display_name = "Alerting Center"
+
+  sns_permission_configuration = {
+    allow_cloudwatch_to_publish_alert = {
+      pricipal = "cloudwatch.amazonaws.com"
+    }
+    allow_eventbridge_to_publish_alert = {
+      pricipal = "events.amazonaws.com"
+    }
+  }
+
+  subscription_configurations = {
+    oozou_admin = {
+      protocol  = "email"
+      addresses = ["xxx@xxx.com"]
+      # filter_policy = jsonencode(var.admin_filter_polciy)
+    }
+  }
+
+  additional_kms_key_policies = [data.aws_iam_policy_document.lambda_access_kms_policy.json]
+
+  tags = {}
+}
+
+/* -------------------------------------------------------------------------- */
+/*                                   Lambda                                   */
+/* -------------------------------------------------------------------------- */
+
+resource "aws_iam_policy" "sns_publish_policy" {
+  name = format("%s-sns-publish-access", local.name)
+  path = "/"
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = [
+          "sns:Publish",
+        ]
+        Effect   = "Allow"
+        "Resource": module.sns.sns_topic_arn
+      },
+    ]
+  })
+}
+
+resource "aws_iam_policy" "iam_updateKey_policy" {
+  name = format("%s-iam-updatekey-access", local.name)
+  path = "/"
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = [
+          "iam:CreateAccessKey",
+          "iam:UpdateAccessKey",
+          "iam:ListAccessKeys",
+          "iam:DeleteAccessKey",
+        ]
+        Effect   = "Allow"
+        "Resource": aws_iam_user.s3_presigned_user.arn
+      },
+    ]
+  })
+}
+
+resource "aws_iam_policy" "secretsmanager_updatesecret_policy" {
+  name = format("%s-secretsmanager-updatesecret-access", local.name)
+  path = "/"
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = [
+            "secretsmanager:GetSecretValue",
+            "secretsmanager:PutSecretValue"
+        ]
+        Effect   = "Allow"
+          "Resource": aws_secretsmanager_secret.accesskey.arn
+      },
+    ]
+  })
+}
+
+module "lambda_accesskey_rotate" {
+  source = "../.."
+
+  prefix      = "oozou"
+  environment = "test"
+  name        = "accesskey_rotate"
+
+  is_edge = false
+
+  # Source code
+  source_code_dir           = "./src"
+  file_globs                = ["access_key_rotate.py"]
+  compressed_local_file_dir = "./outputs"
+
+  # Lambda Env
+  runtime = "python3.9"
+  handler = "access_key_rotate.handler"
+  environment_variables = {
+    iam_username    = aws_iam_user.s3_presigned_user.name
+    secret_name      = aws_secretsmanager_secret.accesskey.name
+    sns_topic_arn   = module.sns.sns_topic_arn
+  }
+
+  # IAM
+  additional_lambda_role_policy_arns = [
+    aws_iam_policy.sns_publish_policy.arn,
+    aws_iam_policy.secretsmanager_updatesecret_policy.arn,
+    aws_iam_policy.iam_updateKey_policy.arn
+  ]
+
+  # Resource policy
+  lambda_permission_configurations = {
+    allow_trigger_from_eventbridge = {
+      principal   = "secretsmanager.amazonaws.com"
+    }
+  }
+
+
+  tags = {}
+}
+
+/* -------------------------------------------------------------------------- */
+/*                                   Secret                                   */
+/* -------------------------------------------------------------------------- */
+
+module "secret_kms_key" {
+  source  = "oozou/kms-key/aws"
+  version = "1.0.0"
+
+  name                 = format("%s-service-secrets", "app")
+  prefix               = "oozou"
+  environment          = "test"
+  key_type             = "service"
+  append_random_suffix = true
+  description          = format("Secure Secrets Manager's service secrets for service %s", "app")
+
+  service_key_info = {
+    aws_service_names  = tolist([format("secretsmanager.%s.amazonaws.com", data.aws_region.this.name)])
+    caller_account_ids = tolist([data.aws_caller_identity.this.account_id])
+  }
+
+  tags = merge({}, { "Name" : format("%s-service-secrets", "app") })
+}
+
+resource "aws_secretsmanager_secret" "accesskey" {
+  name                = format("%s/accesskey", local.name)
+  description = "access key secret with rotation"
+  kms_key_id  = module.secret_kms_key.key_arn
+  recovery_window_in_days = 0
+
+}
+
+resource "aws_secretsmanager_secret_rotation" "accesskey" {
+  secret_id           = aws_secretsmanager_secret.accesskey.id
+  rotation_lambda_arn = module.lambda_accesskey_rotate.function_arn 
+  rotation_rules {
+    automatically_after_days = 7
+  }
+  depends_on = [
+    module.lambda_accesskey_rotate
+  ]
+}
+
+/* -------------------------------------------------------------------------- */
+/*                                 IAM User                                   */
+/* -------------------------------------------------------------------------- */
+
+
+resource "aws_iam_user" "s3_presigned_user" {
+  name = "s3_presigned_user"
+  path = "/"
+
+  tags = merge({}, { "Name" = "s3_presigned_user" })
+}
+

examples/access_key_rotate/README.md

@@ -0,0 +1,62 @@
+import json
+import boto3
+import base64
+import datetime
+import os
+from datetime import date
+from botocore.exceptions import ClientError
+iam = boto3.client('iam')
+secretmanager = boto3.client('secretsmanager')
+IAM_UserName = os.environ['iam_username']
+secret_name = os.environ['secret_name']
+TopicArn = os.environ['sns_topic_arn']
+sns_send_report = boto3.client('sns',region_name='ap-southeast-1')
+
+def error_handling(message):
+    sns_send_report.publish(TopicArn=TopicArn, 
+                            Subject="Access key rotate failed", 
+                            Message="Access key rotate failed: "+str(message) )
+    raise
+    
+def check_key():
+    try:
+        response = iam.list_access_keys(UserName=IAM_UserName)
+        print(response)
+        if(len(response['AccessKeyMetadata']) >1):
+            raise Exception("more than 1 access key found")
+        elif(len(response['AccessKeyMetadata']) ==0):
+            raise Exception("no access key found")
+        return(response['AccessKeyMetadata'][0])
+    except ClientError as e:
+        error_handling(e)
+    except Exception  as e:
+        error_handling(e)
+    
+def create_key():
+    try:
+        response = iam.create_access_key(UserName=IAM_UserName)
+        accessKeyID = response['AccessKey']['AccessKeyId']
+        accessKeySecret = response['AccessKey']['SecretAccessKey']
+        json_data=json.dumps({'accessKeyID':accessKeyID,'accessKeySecret':accessKeySecret})
+        secmanagerv=secretmanager.put_secret_value(SecretId=secret_name,SecretString=json_data)
+    except ClientError as e:
+        error_handling(e)
+        
+def delete_key(accessKeyMetadata):
+    try:
+        userName = accessKeyMetadata['UserName']
+        accessKeyId = accessKeyMetadata['AccessKeyId']
+        iam.update_access_key(AccessKeyId=accessKeyId,Status='Inactive',UserName=userName)
+        iam.delete_access_key (UserName=userName,AccessKeyId=accessKeyId)
+    except ClientError as e:
+        error_handling(e)
+        
+def handler(event, context):
+    # get the existing key
+    accessKeyMetadata = check_key()
+    
+    # create new accesskey and update key in secret manager
+    create_key()
+    
+    # delete the old key
+    delete_key(accessKeyMetadata)

examples/access_key_rotate/main.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.0.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 4.0.0"
+    }
+  }
+}

examples/access_key_rotate/outputs.tf

@@ -41,16 +41,16 @@ module "lambda" {
   # Resource policy
   lambda_permission_configurations = {
     lambda_on_my_account = {
-      pricipal   = "apigateway.amazonaws.com"
+      principal  = "apigateway.amazonaws.com"
       source_arn = "arn:aws:execute-api:ap-southeast-1:557291035112:lk36vflbha/*/*/"
     }
     lambda_on_my_another_account_wrong = {
-      pricipal       = "apigateway.amazonaws.com"
+      principal      = "apigateway.amazonaws.com"
       source_arn     = "arn:aws:execute-api:ap-southeast-1:224563527112:q6pwa6wgr6/*/*/"
       source_account = "557291035112"
     }
     lambda_on_my_another_account_correct = {
-      pricipal   = "apigateway.amazonaws.com"
+      principal  = "apigateway.amazonaws.com"
       source_arn = "arn:aws:execute-api:ap-southeast-1:557291035112:wpj4t3scmb/*/*/"
     }
   }